Re: Trying to find the guy torrenting on our network at work

Have you access to the routers and their logs? Maybe some quality time with Wireshark?

Edit: Of course, if you just want it to stop without finding the perpetrator, sometimes a thinly veiled warning about policy, responsibility, consequences, and an ongoing investigation into abuse might make it stop.

Last edited by ewaller (2013-03-18 20:06:50)

Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
----
How to Ask Questions the Smart Way

Re: Trying to find the guy torrenting on our network at work

About how many computers are on this network? I wonder if you could find out who it is using some sort of social hack or something...

EDIT: And how many users?

Unfortunately the network is too big and there are too many users on any given day to approach the problem this way. There are hundreds of users who use the network.

We have many different workstations on the network in different departments as well as a Wide Area Network. I have ruled out the possibility of it coming from a workstation computer, I am pretty sure they are torrenting via wireless network connection on a personal laptop.

I will monitor some network traffic tomorrow with Wireshark and see what I can find. Usually the ISP catches wind of the torrenting the minute it starts happening and notifies me. I have the torrenter's IP and MAC address now, just waiting for them to come back online and torrent some more.

In order to understand recursion, one must first understand recursion.

Re: Trying to find the guy torrenting on our network at work

DeadDingo wrote:

I have the torrenter's IP and MAC address now, just waiting for them to come back online and torrent some more.

Assuming they are not too bright, the MAC could tell you what chipset they are using. It might narrow down the search some. On the other hand, you said it appeared to be a printer; maybe they are MAC spoofing already.

How many access points are there with the SSID? Can you track down which one is associated to them? Can you obtain signal strengths from the various clients from the APs?

Re: Trying to find the guy torrenting on our network at work

Unfortunately it does seem like whoever it is might be MAC spoofing already given the previous nmap scan.

We have about 10 different access points all broadcasting the same SSID. However, each access point is mounted outside on different buildings. So if I could figure out which SSID is associated to them I could narrow it down to what building it is coming from which would be a huge help. I'm not sure how to go about that, except by logging into each access point and checking the logs for that specific ip address. There must be a better way.

In order to understand recursion, one must first understand recursion.
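
Added example (not part of any post in this thread): one way to answer the "which access point is this client on" question above without logging into each AP, assuming the APs forward syslog to one host and emit hostapd-style association lines. The AP names, MAC addresses, log lines and function names are constructed for illustration; real AP firmware may log in a different format.

```python
import re

# Constructed sample of centralized AP syslog. Hostnames (ap-bldgN) and MACs
# are made up; the line layout is an assumed hostapd-style format.
SAMPLE_LOG = """\
Mar 18 19:40:02 ap-bldg1 hostapd: wlan0: STA 00:11:22:aa:bb:cc IEEE 802.11: associated
Mar 18 19:41:15 ap-bldg3 hostapd: wlan0: STA 00:1B:A9:12:34:56 IEEE 802.11: associated
Mar 18 19:55:40 ap-bldg3 hostapd: wlan0: STA 00:1b:a9:12:34:56 IEEE 802.11: disassociated
Mar 18 19:55:43 ap-bldg4 hostapd: wlan0: STA 00:1b:a9:12:34:56 IEEE 802.11: associated
Mar 18 20:10:09 ap-bldg1 hostapd: wlan0: STA 00:11:22:aa:bb:cc IEEE 802.11: disassociated
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<ap>\S+)\shostapd:\s\S+\sSTA\s"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\sIEEE 802\.11:\s"
    r"(?P<event>associated|disassociated)\b"
)

def normalize_mac(mac):
    # Accept 00:1B:.., 00-1b-.., 001b.a912.. and compare in one canonical form.
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    # Bit 0x02 of the first octet set means the address was not assigned by a
    # vendor (randomized or hand-set). A spoofed address copied from a real
    # device, such as a printer, keeps that device's OUI and does NOT set this
    # bit, so a clear bit proves nothing on its own.
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)

def locate_station(log_text, mac):
    # Returns (timeline, current_ap): every association event seen for the MAC
    # and the AP it is still associated to, or None if it has left.
    target = normalize_mac(mac)
    timeline, current = [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or normalize_mac(m["mac"]) != target:
            continue
        timeline.append((m["ts"], m["ap"], m["event"]))
        if m["event"] == "associated":
            current = m["ap"]
        elif current == m["ap"]:
            current = None
    return timeline, current

if __name__ == "__main__":
    print(locate_station(SAMPLE_LOG, "00-1B-A9-12-34-56"))
```

With one AP per building, the timeline also shows roaming between buildings, which a single look at one AP's log would miss.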

Re: Trying to find the guy torrenting on our network at work

Introduce username/password system for wireless network access. This is how most universities in Germany prevent illegal actions over their network. If they catch the IP address they can check their logs for the userid and thus they know who was the culprit. It may be a lot of work, but it may be worth it.

Is the wireless access for private use or are you using it for the workstations and computers too? Every big company I have been to had static IP and wired access only. Personal laptops/smartphones weren't allowed for a reason.

Re: Trying to find the guy torrenting on our network at work

There are a few things regarding our network and security that I would love to change. But for the time being I have to work with what I have. Our wireless network is open access. However, we do have domain username/password authentication required to actually use the wireless. But this was quickly defeated with the silly implementation of the "guest" account access which requires no domain credentials. Unfortunately my place of work loves to make security sacrifices to give way to convenience.

I am going to spend a bit of time on Wireshark the next few days to see if I can gather a bit more information on this issue.

Re: Trying to find the guy torrenting on our network at work

Can't you limit the guest account to the local network and specific protocols like http and https? Then everyone using torrents will have to log in with their username. At least limit the bandwidth for guests, maybe to ISDN bandwidth.

Re: Trying to find the guy torrenting on our network at work

I can see this is a single user in a quite big network.

If the network is that big, why not just let him/her? He/she is doing the torrenting from a personal laptop, so probably is not doing constant massive traffic from a seedbox, but is just not turning off his/her torrent client (which probably auto-starts in background).

Re: Trying to find the guy torrenting on our network at work

@Nico666 His ISP is contacting him about this, so clearly this needs to be fixed and it shouldn't be allowed to do (possibly) illegal actions from an open network.

@DeadDingo You might be able to use this case with your legal department to press changes in the network and security. I know that companies hate to be sued, because it means a lot of lost money. I do not know if your company is on isolated ground, but if it isn't it might even be a stranger, who found this honey pot for himself. If MAC spoofing and such techniques are already in use, I would make a list of departments with tech-savvy people to have a smaller sample to look through first.

EDIT: Shutting down guest account should be the last resort, because whoever thinks it is fine to use his work's network to torrent deserves to be fired. It just shows bad personality which no one needs in a company.

Re: Trying to find the guy torrenting on our network at work

We have about 10 different access points all broadcasting the same SSID. However, each access point is mounted outside on different buildings. So if I could figure out which SSID is associated to them I could narrow it down to what building it is coming from which would be a huge help. I'm not sure how to go about that, except by logging into each access point and checking the logs for that specific ip address. There must be a better way.

Maybe a traceroute / tracepath to the IP lists your access points? You could also wait for torrenting access and then shut down one AP after another until the torrent traffic vanishes (claim maintenance reasons, e.g. firmware update).

Re: Trying to find the guy torrenting on our network at work

Ha, this is great, we are now being contacted by the Motion Picture Association of America and the Recording Industry Association of America.

Meh, just tell the copyright goon squad that it's not your company's duty to enforce their failed business model.

But whether the Constitution really be one thing, or another, this much is certain - that it has either authorized such a government as we have had, or has been powerless to prevent it. In either case, it is unfit to exist. -Lysander Spooner

Re: Trying to find the guy torrenting on our network at work

Block ports 1024-65535, these are the areas torrent apps use. Try to find his IP (Wireshark, and the like) and have a talk.

I agree, I'd go even further and block outbound ports except the ones needed... just guessing TCP{21,22,80,443}. You should be blocking all unneeded outbound ports anyway.

alphaniner wrote:

Meh, just tell the copyright goon squad that it's not your company's duty to enforce their failed business model.

Unfortunately, this may not be the case depending on the country.

If you are required by law to prevent abuse of your network, this is a policy issue. You need to tell your boss that the law requires you implement measures to prevent this. Your organization can handle the problem one of three ways.

One, technically with you.

Two, legally in court with lawyers.

Three, financially by paying off the MPAA and RIAA.

The option that will save the organization the most money is option number one, technically with you.

It sounds like your boss may not allow you to do it with technical measures. If so, start forwarding the emails from the MPAA and RIAA to the accounting/billing department. That should light a fire under their butts.